
In document Ph.D DISSERTATION (Pages 61-64)

4. Risk Assessment Models and Software

4.1 Vulnerabilities Rating System

For companies, a comprehensive information security strategy is therefore becoming increasingly important. On the one hand, it takes into account the complexity of the networks, but also developments in the threat landscape; it also determines which information security vulnerabilities require immediate attention. To use data collection and analytics to respond to threats and make strategic information security improvements, organizations need to focus on automation. Transforming raw data into useful and, most importantly, relevant information improves security measures, reduces IT costs, and cushions the organization's growing security shortage. Information security vulnerabilities are a complex issue, but with a robust model a great deal can be achieved. To obtain a qualitative information security risk assessment, I provide a scoring metric that is separated by security control. It not only provides a quantitative baseline that can help the organization make improvements, but also allows everyone in the organization to share the prevailing view of security. The results generated by my proposed framework are based on a system of probability estimates calculated in the backend of the system. This system is designed to give organizations a better understanding of which identified high-priority vulnerabilities need to be closed. In my research I have analyzed the CVSS (Common Vulnerability Scoring System), which is a risk assessment tool designed to identify the common attributes of several security issues. The reason I chose to analyze CVSS is that it provides a standardized vulnerability score that is meaningful across the organization; it is also essential that CVSS is an open framework whose metrics are open and available to all users, and it helps organizations prioritize risk. The Common Vulnerability Scoring System, or CVSS for short, is an industry standard that rates the severity of a software security vulnerability or risk, as well as the priority and urgency with which to respond. This is reflected in a numerical score from 0 [no threat] to 10 [very critical], which is calculated using defined criteria (metrics). The numerical score can be translated into one of four qualitative representations. These qualitative representations should help companies correctly assess and prioritize their vulnerability management processes: a software vulnerability of critical severity requires greater and faster action than one of low severity. CVSS enables different, otherwise incompatible rating systems to exchange information with one another. In CVSS, the various assessment criteria for a vulnerability are divided into three metric groups: the Base Metric Group, the Temporal Metric Group and the Environmental Metric Group, each containing its own metrics.

4.1.1 Base Metric Group

In the Base Metric Group, the essential characteristics of a vulnerability are defined, which remain constant over time and across user environments. There are two types of metrics in this group: the Exploitability metrics and the Impact metrics. The Exploitability metrics reflect the ease and the technical means required to exploit the vulnerability, whereas the Impact metrics represent the direct consequences of successful exploitation of the vulnerability. The Base Metric Group's metrics are specified by software providers and by information security and vulnerability analysts, since they usually have the most precise information about the properties of a vulnerability.

4.1.2 Temporal Metric Group

The Temporal Metric Group represents the characteristics of a vulnerability that can change over time. This reflects the time-dependent vulnerability characteristics, and the CVSS score is adapted to the current risk accordingly. The characteristics of the Temporal Metric Group include the availability of exploit kits or techniques, the progress in fixing the vulnerability, and confirmation of the technical details of the vulnerability. Even in the worst case (no exploit necessary [E:H], no solution available to fix the vulnerability [RL:U], confirmed vulnerability [RC:C]), the three metrics cannot increase the CVSS score. For example, releasing a patch can reduce the risk of a vulnerability, reducing a CVSS score of 5.0 to 4.7. As with the Base Metric Group, the metrics of the Temporal Metric Group are specified by software providers and vulnerability analysts.

4.1.3 Environmental Metric Group

The Environmental Metric Group represents the vulnerability characteristics that are relevant to a particular user environment. Here, the vulnerability characteristics that depend on the implementation properties and the user environment are captured. The Environmental Metric Group's metrics allow an analyst to incorporate security controls that can mitigate various consequences, and to raise or lower the weight of a vulnerable system depending on the business risk.

There are two types of metrics in the Environmental Metric Group: one relates to the user environment and the other deals with security requirements. These metrics allow analysts to tailor the CVSS score to specific user environments. How strong this adjustment is depends, on the one hand, on the importance of the affected IT system to the users of a company, measured in terms of Confidentiality, Integrity and Availability, and on the other hand on the consequences of a successful exploitation of the vulnerability, such as the proportion of PC workstations affected and the potential for collateral damage. This is achieved, among other things, by reweighting the Impact metrics of the Base Metric Group. For example, the Integrity Requirement determined in the Environmental Metric Group influences the assessment of the Base Metric Group's Integrity impact. The metrics of the Environmental Metric Group are specified by the information security and IT experts who are responsible for the corresponding system, because they are best able to assess the potential impact of a vulnerability in their own IT infrastructure.

According to the structure and function of CVSS, and based on my proposed framework, I have created a score-based model with levels 1 to 5 as follows:

Table 3 - Risk Assessment Proposed Scoring Model

Level      Numerical
None       0.0
Low        0.1 – 3.9
Medium     4.0 – 6.9
High       7.0 – 8.9
Critical   9.0 – 10

Each security control group receives a summary of its result based on the user's selections. The resulting score serves to guide the affected organization in allocating resources to address the vulnerability. The higher the severity rating, the more significant the potential impact of an exploit and the higher the urgency in addressing the vulnerability. While not as precise as the numeric CVSS scores, the qualitative labels are very useful for communicating with stakeholders who cannot relate to the numeric scores.
